pag. 59 CySecEscape 2.0—A Virtual Escape Room To Raise Cybersecurity Awareness Emanuel Löffler1, Bettina Schneider2, Petra Maria Asprion3, Trupti Zanwar4 1-4 University of Applied Sciences and Arts Northwestern Switzerland FHNW [email protected], [email protected], [email protected], [email protected] Abstract An increasing number of small and medium-sized enterprises (SMEs) use the Internet to support and grow businesses. The application of new technologies comes with inherent risks of ever-changing cyberspace and increasing cybercrime. Previous research has shown that the human factor remains the core element in the cybersecurity chain. Therefore, it is paramount that employees receive effective training to acquire a security mindset. This study puts forward previous research that resulted in a portable escape room game to raise cybersecurity awareness. The purpose of the study is to elaborate the transformation of the physical game into a virtual learning experience to increase flexibility in times such as the Covid-19 lockdown. As main method, we applied the design science framework of Hevner et al. As main result, the research elaborates the design of the developed artifact—a virtual prototype of the escape room game addressing the cybersecurity challenges of SMEs. For the evaluation of the prototype, empirical data was collected in qualitative and quantitative form. As main conclusions, we have observed that a physical escape room can be transformed into a virtual setting with little means without sacrificing player immersion. A limitation was identified in teaching targeted social engineering attacks. Keywords: Cybersecurity Awareness, Escape Room Game, Small and Medium-sized Enterprises, Design Science Research; 1 Introduction The rise of digitalization has significantly influenced how companies and their stakeholders interact, as it enables virtual business to be conducted over the Internet with no physical space to set up, and no assets to own or store. However, these promising opportunities are associated with novel risks such as cyber threats and cybercrime. Concerning large companies, the importance of cybersecurity has been recognized and resources are being mobilized to implement formal methods that promote awareness and adaptation of cybersecurity processes in their workforce [1]. Small and medium-sized enterprises (SMEs)—although representing the backbone of economies around the world—struggle with significantly tighter resource constraints, while facing similar cyber threats. According to recent surveys, the proportion of small firms reporting one or more incidents is at 41% [2], and lack of employee awareness remains the number one cause for security incidents [3]. Therefore, employee trainings are key for mitigating the risks posed by cyberspace. A sound awareness program ensures that people understand the organization's policies, their International Journal of Serious Games Volume 8, Issue 1, March 2021 ISSN: 2384-8766 http://dx.doi.org/10.17083/ijsg.v8i1.413 pag. 60 responsibilities in the field of cybersecurity as well as the proper use and protection of organizational assets. Several interactive training approaches have been designed in recent years, of which a very promising one is the escape room technique. Escape rooms are typically designed for recreational purposes, in which players face real-world simulated challenges as a team [4]. The usage of the escape room technique is growing for corporate training along with its recreational value [5]. This study addresses the cybersecurity awareness challenges of SMEs using this new training approach. The objective is to develop and evaluate a prototype to train employees in cybersecurity. The study is based on existing research results from a physical cybersecurity escape room that is played in the office environment of SMEs [6]. Facing the Covid-19 pandemic, escape rooms relying on physical presence in one room turned out to be a bottleneck. Prompt adaptation to the “new normal” was required and led our research team to transform our existing physical game into a virtual escape room variant. Our hypotheses for this paper are as follows: Adaptability: A physical escape room setting can be transformed into a virtual experience with few adaptations to the original concept. However, we make the assumption that a virtual setting needs more intentional distractions (decoys) because virtual objects do not allow creative interaction in the same way physical objects do. Participants in an online setting might address puzzles more directly. Immersion: In comparison to physical setups, a virtual escape room environment might be less immersive. Memory: Increased flexibility and standardization of the game through virtualization eases scaling and presumably fosters follow-up discussions between colleagues on how they solved the game, giving an advantage in memorizing through repetition. The remainder of the paper is structured as follows: Section 2.1 elaborates the Design Science Research methodology applied. Section 2.2 describes design guidelines for escape rooms from the literature and provides an overview of existing cybersecurity escape rooms. To embed the study in its environment, cybersecurity-related challenges of SMEs are outlined in Section 2.3. At the core of this research, in Section 3, the next revision—a virtual escape room game—is presented. In Section 4, the evaluation results of the virtual prototype are described and discussed. The paper closes with an outlook on areas for further research. 2 Methodology and previous work 2.1 Design science research as methodological framework As a methodological approach, the Design Science Research (DSR) guidelines were applied [7]. According to Hevner et al. [8], DSR must lead to an artifact, which could be a construct, model, method, or an instantiation. This was considered suitable for our research, which aims to yield a learning approach as a cybersecurity escape room. The DSR approach is moreover very appropriate as it aligns research processes with real-world problems, and as it helps integrating business with technical aspects. A first version—a physical, portable game called CySecEscape 1.0—was derived from the existing knowledge base and the SMEs’ environment in Switzerland. The prototype was improved based on the evaluation obtained by game executions and feedback rounds with SME employees. The results were published in the 2020 Future of Education Conference [6]. In this paper, we focus on a second version of the prototype. Due to the Covid-19 pandemic hitting Europe in 2020, the application of a cybersecurity escape room demanding physical presence has become a bottleneck. The second design cycle thus elaborates the transformation and enhancement International Journal of Serious Games Volume 8, Issue 1, March 2021 ISSN: 2384-8766 http://dx.doi.org/10.17083/ijsg.v8i1.413 E. Löffler et al., CySecEscape 2.0—A Virtual Escape Room To Raise Cybersecurity Awareness pag. 61 of CySecEscape 1.0 into a virtual learning experience, called CySecEscape 2.0. Figure 1 shows how the research framework was adapted. Figure 1. Hevner et al. framework adopted to the study As shown in the right box of Figure 1, the knowledge base is relevant for the rigor cycle. In a literature review, the design of escape rooms was analyzed and existing escape rooms in the field of cybersecurity were identified. The left box of Figure 1 is the environment, represented by SMEs in Switzerland and composes the relevance cycle. Based on recent publications, cybersecurity-related challenges of SMEs were collected. Two design loops are present, whereas the first resulted in the already existing and published CySecEscape 1.0, the second design loop is the core of this study and resulted in CySecEscape 2.0—a virtual escape room to raise cybersecurity awareness in SMEs. When evaluating the developed artifact, empirical data was collected by testing the game with selected SME representatives and full-time as well as part-time students. Two test rounds with SME-employees were conducted in groups of two with physical presence of a moderator documenting their interaction and questions and giving advice when needed. In this setting, a computer was provided for ideal playing conditions, leading to very positive feedback. In the student test rounds, learners were provided with a web link to play the prototype on their own devices during a remote lecture setting. Here, positive feedback prevailed as well. Nevertheless, more difficulties interacting with the interface were reported, which can be explained by the absence of a physically present moderator. Remote players were more prone to explore alternative solutions through inspecting the game source code, where a “hidden path” of playing was in place (see also 3.1.). 2.2 Escape room design and existing cybersecurity escape rooms In the escape room game setup, participants form a team attempting to solve puzzles with the help of clues and strategies to escape from a confined area in a given time span [5]. Escape room challenges involve activities demanding close coordination and teamwork such as situational awareness, task division and specialization, communication, leadership, as well as critical and lateral thinking [5]. During these immersive experiences, the individuals take the avatar of the in-game characters and feel very connected to the situation at hand. Several approaches to design an escape room can be found (e.g., [9][10]). The design framework by Clarke
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages12 Page
-
File Size-